ViperSoftX Malware Camouflaged as eBooks on Torrent Sites to Launch Covert Attacks

ViperSoftX Malware Exploits eBook Distribution for Stealthy PowerShell Execution

The ViperSoftX malware has been observed using a new distribution method: eBooks shared through torrent sites. First documented by Fortinet in 2020, ViperSoftX is known for exfiltrating sensitive data from compromised Windows systems, and its operators have kept refining it to improve its stealth and effectiveness.

Recent research by Trellix security researchers Mathanraj Thangaraju and Sijo Jacob highlights a notable feature of the malware's latest variant: it uses the Common Language Runtime (CLR) to load and run PowerShell from inside an AutoIt script. Because the PowerShell engine is hosted in the AutoIt process rather than launched as powershell.exe, the malware gets PowerShell's full capabilities while sidestepping detections keyed on the standard PowerShell host and its command line.

Earlier ViperSoftX distribution relied on other lures, chiefly cracked software; the eBook-themed torrents are a new approach. Inside the RAR archives posing as eBooks are Windows shortcut (.lnk) files. When a victim opens one, it starts a multi-stage infection: the shortcut launches PowerShell code that unhides folders dropped alongside it, establishes persistence, and finally launches ViperSoftX itself.
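The shortcut stage above is the cheapest place to catch this chain before anything runs. The following parser is an added example for this article, not Trellix's tooling or the malware's code: it reads the Shell Link (.lnk) format directly, pulls out the target path and arguments, and flags the traits of a script launcher (a script-host target, hidden-window or execution-policy switches, an `attrib -h` that unhides a dropped folder, a minimised window, and an icon borrowed from another file). The two shortcuts it scans are constructed here to resemble the lure described in the text and a harmless shortcut; the suspicious switch patterns are the author's own heuristics.

```python
"""
Triage a Windows .lnk (Shell Link) file and flag script-launcher traits.
Layout follows MS-SHLLINK: fixed 76-byte header, optional LinkTargetIDList
and LinkInfo, then up to five length-prefixed StringData fields.

Added example for this article, not code from Trellix or the malware;
the two sample shortcuts at the bottom are constructed for the demo.
"""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) this parser needs
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window minimised

SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)(\.exe)?\b", re.I)
SUSPICIOUS_ARGS = {  # heuristics chosen for this example
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "no profile": re.compile(r"-nop(rofile)?\b", re.I),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "unhides files (attrib -h)": re.compile(r"\battrib\b[^&|;]*-h", re.I),
}


def _read_string(data, pos, is_unicode):
    """One StringData item: 2-byte character count, then un-terminated text."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if is_unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and every StringData field present."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # skip LinkInfo: its size field counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            info[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return info


def analyze_lnk(data: bytes) -> dict:
    """Parse and score a shortcut; suspicious = script host plus any other trait."""
    info = parse_lnk(data)
    target = info.get("relative_path", "")
    args = info.get("arguments", "")
    findings = []
    if SCRIPT_HOST.search(target) or SCRIPT_HOST.search(args):
        findings.append("script-host target")
    findings += [label for label, rx in SUSPICIOUS_ARGS.items() if rx.search(args)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised (SW_SHOWMINNOACTIVE)")
    icon = info.get("icon_location", "")
    if icon and "script-host target" in findings and not SCRIPT_HOST.search(icon):
        findings.append("icon borrowed from another file")
    suspicious = "script-host target" in findings and len(findings) > 1
    return {"target": target, "arguments": args, "findings": findings, "suspicious": suspicious}


def build_lnk(relative_path, arguments, show_command=1, icon_location=None):
    """Assemble a minimal Unicode .lnk (no IDList/LinkInfo) for the demo below."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_ICON_LOCATION if icon_location else 0)
    header = struct.pack("<I16sIIQQQIIIH2sII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, b"\0\0", 0, 0)

    def s(text):  # CountCharacters + UTF-16LE text
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments) + (s(icon_location) if icon_location else b"")


# Constructed samples: a launcher of the kind described in the article, and a harmless shortcut
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -ep bypass -c "attrib -h -s .\.cache; & .\.cache\run.ps1"',
    show_command=SW_SHOWMINNOACTIVE,
    icon_location=r"%SystemRoot%\System32\SHELL32.dll",
)
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", r"C:\Users\reader\notes.txt")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, analyze_lnk(blob))
```

To run it over a real archive, extract the RAR and feed each `.lnk` to `analyze_lnk(open(path, "rb").read())`. Real lures often carry a LinkTargetIDList and LinkInfo block; the parser skips both by their size fields, so the StringData offsets stay correct.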

The researchers note that AutoIt does not support the CLR natively; the operators use a user-defined function (UDF) library to load the CLR and gain access to PowerShell from the script. Beyond collecting system information, ViperSoftX scans for cryptocurrency wallets through browser extensions, runs additional payloads, and deletes itself to complicate analysis.
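The in-process technique described above leaves no powershell.exe process to match on, so a command-line rule sees nothing; what it does leave is the .NET runtime loading into an AutoIt interpreter. The detection below is an added example for this article, not Trellix's detection content: it reads Sysmon events, identifies AutoIt processes from ProcessCreate (ID 1) by OriginalFileName, which a renamed copy of the interpreter keeps, and alerts when such a process records an ImageLoad (ID 7) of a CLR module. The Sysmon event XML is constructed here; treating `AutoIt3.exe` as the host name and the listed DLL names as "the CLR" are assumptions.

```python
"""
Flag the .NET CLR being loaded into an AutoIt interpreter, using Sysmon
ProcessCreate (ID 1) and ImageLoad (ID 7) events.

Added example for this article, not Trellix's detection logic. The events
in SAMPLE_EVENTS are constructed; host and module names are assumptions.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CLR_MODULES = {"clr.dll", "clrjit.dll", "mscoree.dll", "coreclr.dll"}
AUTOIT_NAMES = {"autoit3.exe", "autoit3_x64.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten a Windows event XML record into {EventID, <Data Name>: value}."""
    root = ET.fromstring(xml_text)
    event = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    event["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return event


def detect_clr_in_autoit(events):
    """Return one alert per CLR module loaded by a process identified as AutoIt."""
    autoit_guids = set()
    for ev in events:  # pass 1: which processes are AutoIt interpreters?
        if ev["EventID"] == 1 and (ev.get("OriginalFileName", "").lower() in AUTOIT_NAMES
                                   or _basename(ev.get("Image", "")) in AUTOIT_NAMES):
            autoit_guids.add(ev.get("ProcessGuid"))
    alerts = []
    for ev in events:  # pass 2: did any of them load the runtime?
        if ev["EventID"] != 7:
            continue
        module = _basename(ev.get("ImageLoaded", ""))
        is_autoit = (ev.get("ProcessGuid") in autoit_guids
                     or _basename(ev.get("Image", "")) in AUTOIT_NAMES)
        if is_autoit and module in CLR_MODULES:
            alerts.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"),
                           "module": module, "path": ev.get("ImageLoaded")})
    return alerts


def _sysmon_xml(event_id, **fields):
    """Build a minimal Sysmon record in the Windows event XML shape (constructed)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{data}</EventData></Event>')


GUID_A = "{11111111-1111-1111-1111-111111111111}"  # constructed AutoIt process
GUID_B = "{22222222-2222-2222-2222-222222222222}"  # constructed unrelated process
SAMPLE_EVENTS = [
    # renamed interpreter dropped by the lure; OriginalFileName still says AutoIt3.exe
    _sysmon_xml(1, ProcessGuid=GUID_A, ProcessId="4120",
                Image=r"C:\Users\reader\Downloads\ebook\reader.exe",
                OriginalFileName="AutoIt3.exe", ParentImage=r"C:\Windows\explorer.exe"),
    _sysmon_xml(7, ProcessGuid=GUID_A, ProcessId="4120",
                Image=r"C:\Users\reader\Downloads\ebook\reader.exe",
                ImageLoaded=r"C:\Windows\System32\kernel32.dll"),
    _sysmon_xml(7, ProcessGuid=GUID_A, ProcessId="4120",
                Image=r"C:\Users\reader\Downloads\ebook\reader.exe",
                ImageLoaded=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    # a legitimate .NET host loading the same DLL must not fire
    _sysmon_xml(7, ProcessGuid=GUID_B, ProcessId="980",
                Image=r"C:\Windows\System32\svchost.exe",
                ImageLoaded=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
]


def scan_sample():
    return detect_clr_in_autoit([parse_sysmon_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for alert in scan_sample():
        print(alert)
```

On a live host the same two-pass logic applies to records from `Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational`, provided the Sysmon configuration actually logs ImageLoad for CLR modules (many configs exclude ID 7 for volume reasons). Script block logging is done by the PowerShell engine rather than by powershell.exe, so PowerShell Operational 4104 events remain a second signal even when the engine is hosted inside AutoIt.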

Recent reporting also ties ViperSoftX to the delivery of Quasar RAT and TesseractStealer, showing its adaptability and continued relevance. The campaigns commonly use cracked software and torrent platforms as delivery channels, which remain difficult distribution channels to secure.

Mapped to MITRE ATT&CK, the chain combines initial access through a deceptive file (a shortcut inside an archive) with abuse of legitimate tooling (AutoIt, PowerShell) for execution and persistence, and potentially privilege escalation. The variant also patches the Antimalware Scan Interface (AMSI) before running PowerShell, so script content is never handed to the installed antivirus engine for inspection; this bypass targets precisely the control most endpoint products rely on for script-based threats.

Organisations should treat archives obtained from torrent sites as untrusted and watch for the specific behaviours in this chain: shortcut files that launch PowerShell with hidden-window or execution-policy switches, the .NET runtime loading into processes such as AutoIt interpreters that do not normally host it, and tampering with AMSI. Monitoring for such activity, together with tested detection and response procedures, reduces the risk from ViperSoftX and similar loaders.
